[strongSwan] Cannot connect from roadwarrior linux client to server with Letsencrypt cert

2021-08-03 Thread Lorenzo Milesi 
Hi.
I've setup a roadwarrior server with Strongswan 5.8.2. Windows 10 clients 
connect successfully, while Linux ones don't.
When I try to bring up the connection I get:

received end entity cert "CN=vpn01.server.it"
  using certificate "CN=vpn01.server.it"
  using trusted intermediate ca certificate "C=AT, O=ZeroSSL, CN=ZeroSSL RSA 
Domain Secure Site CA"
checking certificate status of "CN=vpn01.server.it"
  requesting ocsp status from 'http://zerossl.ocsp.sectigo.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
certificate status is not available
no issuer certificate found for "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure 
Site CA"
  issuer is "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, 
CN=USERTrust RSA Certification Authority"
no trusted RSA public key found for 'vpn01.server.it'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 75.1.1.6[4500] to 95.1.8.6[4500] (65 bytes)
establishing connection 'vpn-vpn01' failed

In /etc/ipsec.d/cacerts I copied fullchain and ca pem files from the server.
The LE certificate has been issued using acme.sh, ZeroSSL comes from that.

I tried downloading OCSP cert directly from the website but didn't know how to 
do...

thanks.
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.com 
CTO @ YetOpen Srl

YetOpen - https://www.yetopen.com/

Via Salerno 18 - 23900 Lecco - ITALY -  | 4801 Glenwood Avenue - Suite 200 
- Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info...@yetopen.com  | Phone +1 919-817-8106 - 
info...@yetopen.com

Think green - Non stampare questa e-mail se non necessario / Don't print this 
email unless necessary

 D.Lgs. 196/2003 e GDPR 679/2016 
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso 
esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da 
ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 
679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non 
autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad 
eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci 
non appena possibile.
Grazie.

Confidentiality notice: this email message including any attachment is for the 
sole use of the intended recipient and may contain confidential and privileged 
information;
pursuant to Legislative Decree 196/2003 and the European General Data 
Protection Regulation 679/2016 - GDPR - any unauthorized review, use, 
disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message 
without copying, printing or forwarding it to others, and alert us as soon as 
possible.
Thank you.

Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-03 Thread Noel Kuntze 

Hello Jody,

Please provide the output of `iptables-save`, and the output of `ipsec 
statusall` once you tried to access the internet, but while the client is still 
connected.

Kind regards
Noel

Am 02.08.21 um 20:26 schrieb Jody Whitesides:

Having trouble trying to understand why VPN would suddenly stop allowing 
traffic to the internet (despite no changes to the server and was working fine 
for months). Devices can connect to the VPN and logs show they connect. 
However, they no longer get traffic to the internet or to the server itself. 
Unfortunately I don’t understand the logs enough to know the direct reason, but 
I’ve included some connection logs after the config. Any help that can lead to 
a fix would be appreciated.

Here’s the config:

config setup
         charondebug     ="dmn 1,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 
1,enc 1,tnc 1"
         uniqueids       =no

conn %default
#        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
#        esp             =aes256-sha1,3des-sha1!
         fragmentation   =yes
         auto            =add
         dpdaction       =clear
         dpddelay        =40
         dpdtimeout      =130
         ikelifetime     =1h
         lifetime        =1h
         margintime      =9m
         rekeyfuzz       =100%
#        rekey           =yes
         aggressive      =no
         forceencaps     =yes
         left            =%any
         leftid          =(serverIP)
         leftcert        =(link to cert)
         leftsendcert    =always
         leftsubnet      =0.0.0.0/0,::/0
         right           =%any
         rightid         =%any
#        rightauth       =eap-mschapv2
         rightdns        
=45.76.254.23,172.98.193.62,2001:19f0:5401:2a4a:5400:03ff:fe2b:271f
         rightsourceip   =10.10.10.1/24
         rightsubnet     =%dynamic

#conn mac
#       keyexchange     =ikev1
#       authby          =xauthpsk
#       xauth           =server
#       reauth          =yes

conn ios
         ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
         esp             =aes256-sha1,3des-sha1!
         keyexchange     =ikev1
         mobike          =yes
         reauth          =yes
         rekey           =yes
         leftallowany    =yes
         lefthostaccess  =yes
         leftfirewall    =yes
         leftauth        =pubkey
         rightallowany   =yes
         rightauth       =pubkey
         rightauth2      =xauth
         rightfirewall   =yes
         rightcert       =(link to cert)

conn ikev2-vpn
         ike             
=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes128-sha1-modp1024,aes256-sha1-modp1024,3d>
         esp             
=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
         keyexchange     =ikev2
         type            =tunnel
         compress        =no
         rekey           =no
         rightauth       =eap-mschapv2
         rightsendcert   =never
         eap_identity    =%identity

Here’s the Log:
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[NET] received packet: from 
[IP of Device][500] to [IP of Server][500] (848 bytes)
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] parsed ID_PROT request 
0 [ SA V V V V V V V V V V V V V V ]
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received NAT-T (RFC 
3947) vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received 
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received XAuth vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received Cisco Unity 
vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received FRAGMENTATION 
vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received DPD vendor ID
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] [IP of Device] is 
initiating a Main Mode IKE_SA
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] generating ID_PROT 
response 0